Message ID | 1460024762-14592-1-git-send-email-ppandit@redhat.com (mailing list archive) |
---|---|
State | New, archived |
P J P <ppandit@redhat.com> writes:

> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When receiving packets over MIPSnet network device, it uses
> receive buffer of size 1514 bytes. In case the controller
> accepts large(MTU) packets, it could lead to memory corruption.
> Add check to avoid it.
>
> Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> --- > hw/net/mipsnet.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c > index f261011..e134b31 100644 > --- a/hw/net/mipsnet.c > +++ b/hw/net/mipsnet.c > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si > if (!mipsnet_can_receive(nc)) > return 0; > > + if (size >= sizeof(s->rx_buffer)) { > + return 0; > + } > s->busy = 1; > > /* Just accept everything. */

Prompted by Peter Maydell's review of the buddy patch to stellaris_enet:
What does the physical device do when it receives such a packet?
+-- On Thu, 7 Apr 2016, Markus Armbruster wrote --+
| P J P <ppandit@redhat.com> writes:
|
| > --- a/hw/net/mipsnet.c | > +++ b/hw/net/mipsnet.c | > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si | > if (!mipsnet_can_receive(nc)) | > return 0; | > | > + if (size >= sizeof(s->rx_buffer)) { | > + return 0; | > + } | > s->busy = 1;
|
| Prompted by Peter Maydell's review of the buddy patch to stellaris_enet:
| What does the physical device do when it receives such a packet?

I tried to find a device specification, but couldn't find any reference
MIPSnet.

Jason, wdyt?
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
On 04/11/2016 03:37 PM, P J P wrote:
> +-- On Thu, 7 Apr 2016, Markus Armbruster wrote --+
> | P J P <ppandit@redhat.com> writes:
> |
> | > --- a/hw/net/mipsnet.c > | > +++ b/hw/net/mipsnet.c > | > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si > | > if (!mipsnet_can_receive(nc)) > | > return 0; > | > > | > + if (size >= sizeof(s->rx_buffer)) { > | > + return 0; > | > + } > | > s->busy = 1;
> |
> | Prompted by Peter Maydell's review of the buddy patch to stellaris_enet:
> | What does the physical device do when it receives such a packet?
>
> I tried to find a device specification, but couldn't find any reference
> MIPSnet.
>
> Jason, wdyt?

Can't find either. Looking at kernel driver git logs, the driver was even
removed since 2012 because it was no longer supported by MIPS. Considering it
indeed fixes a memory corruption, I tend to apply this first for 2.6.

> --
> Prasad J Pandit / Red Hat Product Security Team
> 47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
+-- On Mon, 11 Apr 2016, Jason Wang wrote --+
| Can't find either. Looking at kernel driver git logs, the driver was even
| removed since 2012 because it was no longer supported by MIPS. Considering it
| indeed fixes a memory corruption, I tend to apply this first for 2.6.

Okay, thank you.
--
Prasad J Pandit / Red Hat Product Security Team
47AF CE69 3A90 54AA 9045 1053 DD13 3D32 FE5B 041F
On 04/07/2016 06:26 PM, P J P wrote:

> From: Prasad J Pandit <pjp@fedoraproject.org>
>
> When receiving packets over MIPSnet network device, it uses
> receive buffer of size 1514 bytes. In case the controller
> accepts large(MTU) packets, it could lead to memory corruption.
> Add check to avoid it.
>
> Reported by: Oleksandr Bazhaniuk <oleksandr.bazhaniuk@intel.com>
>
> Signed-off-by: Prasad J Pandit <pjp@fedoraproject.org>
> --- > hw/net/mipsnet.c | 3 +++ > 1 file changed, 3 insertions(+) > > diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c > index f261011..e134b31 100644 > --- a/hw/net/mipsnet.c > +++ b/hw/net/mipsnet.c > @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si > if (!mipsnet_can_receive(nc)) > return 0; > > + if (size >= sizeof(s->rx_buffer)) { > + return 0; > + } > s->busy = 1; > > /* Just accept everything. */

Apply to net-next. Thanks
diff --git a/hw/net/mipsnet.c b/hw/net/mipsnet.c index f261011..e134b31 100644 --- a/hw/net/mipsnet.c +++ b/hw/net/mipsnet.c @@ -82,6 +82,9 @@ static ssize_t mipsnet_receive(NetClientState *nc, const uint8_t *buf, size_t si if (!mipsnet_can_receive(nc)) return 0; + if (size >= sizeof(s->rx_buffer)) { + return 0; + } s->busy = 1; /* Just accept everything. */
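
Review bot: the added `size >= sizeof(s->rx_buffer)` test also rejects a frame of exactly `sizeof(s->rx_buffer)` bytes, which the commit message gives as 1514, so a frame that fills the buffer without overrunning it is dropped. If the code after the check stores only `size` bytes into `s->rx_buffer`, `size > sizeof(s->rx_buffer)` is sufficient; if `>=` is intentional, a one-line comment saying why would help. The new branch also returns 0, the same value as the `!mipsnet_can_receive(nc)` path directly above it, so the caller cannot tell an oversized frame that is being discarded from a device that is temporarily busy. Consider a distinct return value for the discard case, or a comment stating that the frame is dropped on purpose. The thread's open question about what the physical device does with such a frame is also worth recording in a comment next to the check, since no specification was found.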